DETAILED ACTION 
Response to Amendment 

1. This action is in response to the amendment filed 02/16/2005. Claims 1-2, 7-8, 
10-11, 13 and 21 have been amended; claim 9 has been canceled; claim 22 has been 
added. 

Response to Arguments 

2. Applicant's arguments with respect to the Katz reference in the rejections of 
claims 1-13, 15, 17-19 and 21 (p. 7, 2nd par.) have been considered but are not 
persuasive. Applicant's amendments have necessitated a new search and new 
grounds of rejection. 

3. Applicant's arguments filed 02/16/2005 have been fully considered but they are 
not persuasive. 

Applicant argues that the Mansfield control center does not receive the statistical 
information from the data collector (p. 6, last par.). Mansfield discloses using RMON 
(Remote Monitoring) devices to collect and send statistical data regarding the network 
flow to the NMS (Network Management System), where the collected data is compared 
and correlated (Section 3.1, Traffic-flow signatures). 

Applicant argues that Katz does not teach a redundant network that does not 
carry the packet traffic (p. 7, 2nd par. and p. 11, 1st par.). Applicant's arguments have 
been considered but are not persuasive. Applicant's amendments have necessitated a 
new search and new grounds of rejection. 

Applicant argues that Mansfield does not disclose dividing the traffic flow into 
buckets that track counts of how many packets a data collector examines for a given 
parameter (p. 8, 5th par.). Mansfield discloses dividing the traffic flow into different 
categories and using memory spaces to track counts of how many packets a data 
collector examines for a given parameter (p. 4, last par.). A bucket can be implemented 
in different ways, and since Mansfield uses memory spaces to track counts of packets 
for a given parameter, the memory spaces meet the limitation of buckets. Applicant 
argues that Zait does not disclose adjusting the number of buckets by combining 
several buckets into fewer buckets or dividing a bucket into more buckets (p. 8, last par.) 
and that there is no suggestion to combine the references (p. 9, 2nd par.). Zait discloses 
adjusting the number of buckets by dividing a bucket into smaller buckets and provides 
motivation to combine the references (col. 10, lines 16-37). 

Regarding the features relied upon and/or motivation for using the references 
Roesch ("Snort-Lightweight Intrusion Detection for Networks") and Eichstaedt et al 
(6,662,230), please refer to the corresponding rejections in the previous Office Action. 

Claim Objections 

4. Claim 2 is objected to because of the following informalities: the phrase "a 
redundant network" is repeated in line 7. Appropriate correction is required. 
Claim Rejections - 35 USC § 112 

5. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claim 11 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. Claim 11 recites the limitation "the generated statistics" in line 
5. There is insufficient antecedent basis for this limitation in the claim. The limitation is 
interpreted as "the generated data". 

Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 1-3, 5-8, 10-13, 15, 17-19 and 21-22 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Mansfield ("Towards Trapping Wily Intruders in the Large") 
in view of Mell et al ("Mobile Agent Attack Resistant Distributed Hierarchical Intrusion 
Detection Systems"). 

Regarding claims 1-3, 11 and 21, Mansfield discloses a method for a data 
collector to collect data from sampled network traffic comprising: sampling packet traffic 
over a network and generating statistical information about the packet traffic on the 
network (Section 3, Detection of Intrusions from traffic-flow signatures; Section 5, 
Implementations and Results); parsing the information in the sampled packets and 
maintaining the information in a log (Section 3, Detection of Intrusions from traffic-flow 
signatures); and delivering the generated statistics over a network to a central control 
center (Section 5, Implementations and Results; Section 3.1, Traffic-flow signature). 

Mansfield does not disclose utilizing a redundant network that does not carry the 
packet traffic to deliver the generated statistics to a central control center. Mell 
discloses utilizing a separate and protected network for communications between data 
collectors and a control center (Section 2.0, Background on Distributed Hierarchical 
IDSs; Section 3.0, Vulnerable Systems). It would have been obvious to one of ordinary 
skill in the art at the time the invention was made to modify the Mansfield method to 
utilize a separate and protected network for communications between the data collector 
and the control center, as taught by Mell, so that the data collector would not be isolated 
in the event an attacker floods the communication channel on which the data collector is 
residing. 

Regarding claim 5, Mansfield further discloses that the information collected by 
the data collector includes source information and destination information (Table 1; 
Section 3, Detection of Intrusions from traffic-flow signatures). 

Regarding claim 6, Mansfield further discloses that the data collector collects the 
information but does not log the sampled packets (Section 3.1, Traffic-flow signature). 
Regarding claim 7, Mansfield further discloses that the data collector analyzes 
the collected statistics and produces a message that raises an alarm to the control 
center (Section 5, Implementations and Results). 

Regarding claims 8 and 22, Mansfield further discloses that the data collector 
includes a communication process to respond to queries from the control center for 
information concerning characteristics of packet traffic on the network (Section 5, 
Implementations and Results). 

Regarding claim 10, Mansfield further discloses that the query can be a request 
to download, via the redundant network, a portion of a log of the collected information 
maintained by the data collector (Section 5, Implementations and Results). 

Regarding claim 12, Mansfield further discloses monitoring packet count, which 
is a parameter of traffic flow, at two levels of granularity (p. 5, 1st par., "The initial 
threshold will need ... ball rolling"; Section 3.2, Definition of traffic-flow signature). 

Regarding claim 13, Mansfield further discloses that monitoring the parameter at 
multiple levels of granularity is used to trace the source of an attack (Section 5, 
Implementations and Results). 

Regarding claim 15, Mansfield further discloses applying multi-level analysis to 
monitor TCP packet ratios, repressor traffic and statistics-based Layer 3-7 analysis 
(Section 3.3, Correlating traffic-flow signatures; Section 4, Map-based distributed 
Intrusion tracing; Table 1; Section 2, Characteristics of Network Intrusions). 

Application/Control Number: 09/931,558 Page 7 

Art Unit: 2132 

Regarding claim 17, Mansfield further discloses monitoring network traffic for 
ICMP packets with broadcast destination addresses (Section 3.4, Experimental 
evaluation). 

Regarding claim 18, Mansfield further discloses monitoring network traffic for 
transmission control protocol (TCP) or user datagram protocol (UDP) packets addressed 
to unused ports (Table 1). 

Regarding claim 19, Mansfield further discloses monitoring network traffic for 
transmission control protocol (TCP) ACK packets that do not belong to a known 
connection (Section 4, Map-based distributed Intrusion tracing). 

9. Claim 4 is rejected under 35 U.S.C. 103(a) as being unpatentable over Mansfield 
in view of Mell. Mell discloses using a dedicated line (Section 3.0, Vulnerable Systems). 
Mell does not disclose that the dedicated line is a leased line. However, Examiner 
takes Official Notice that using a leased line as a dedicated line is well known in the art. 
It would have been obvious at the time the invention was made to use a leased line 
as the dedicated line, since Examiner takes Official Notice that using a leased line as a 
dedicated line, so that there is no need to build and/or maintain a network, is well known 
in the art. 

10. Claim 14 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mansfield in view of Mell as applied to claim 13 above, and further in view of Zait et al 
(6,665,684). Mansfield discloses dividing the traffic flow and using memory spaces to 
track counts of how many packets a data collector examines for a given parameter (p. 
5, 1st par., "The initial threshold will need ... ball rolling"). The memory spaces meet the 
limitation of buckets. Mansfield does not disclose adjusting the number of buckets as 
the number of buckets approaches a bucket threshold, by combining several buckets 
into fewer buckets or dividing a bucket into more buckets. Zait discloses adjusting the 
number of buckets as the number of buckets approaches a threshold, by dividing a 
bucket into more buckets (col. 10, lines 25-32). Mansfield and Zait are analogous art 
because they are from a similar problem-solving area, efficient storing and searching for 
data. It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the combined method of Mansfield and Mell to adjust the 
number of buckets as the number of buckets approaches a threshold, by dividing a 
bucket into more buckets, as taught by Zait, so that the granularity level matches a 
degree of parallelism when the degree of parallelism exceeds a threshold. 
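The bucket mechanism discussed in the rejections of claims 12 through 14 (counting packets per parameter range, keeping the count at more than one level of granularity, dividing a busy bucket into finer buckets and combining sparse ones back) is shown below as an added worked example in Python. It is not code from Mansfield, Zait or the application under examination; the tree of inclusive key ranges, the thresholds, the use of destination port as the parameter and the constructed packet stream are all assumptions chosen to make the behaviour visible.

```python
"""Adaptive packet-count buckets with coarse-to-fine granularity.

Illustrative example added for this page. It is not code from Mansfield,
Zait or the application under examination; the bucket tree, thresholds and
the constructed packet stream are assumptions chosen to show the mechanism.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Bucket:
    lo: int                     # inclusive lower bound of the key range
    hi: int                     # inclusive upper bound of the key range
    count: int = 0              # packets whose key fell anywhere in [lo, hi]
    children: List["Bucket"] = field(default_factory=list)

    def covers(self, key: int) -> bool:
        return self.lo <= key <= self.hi


class AdaptiveBuckets:
    """Counts packets per key range (here: destination port) at several widths.

    Every bucket on the root-to-leaf path is incremented, so the count for a
    key is available at several levels of granularity at once. A leaf that
    reaches `split_at` packets is divided into two finer buckets; `compact()`
    later combines the buckets under any node whose total stayed sparse.
    """

    def __init__(self, lo: int, hi: int, split_at: int = 4, min_width: int = 4096):
        self.root = Bucket(lo, hi)
        self.split_at = split_at
        self.min_width = min_width      # never split a bucket narrower than this

    def observe(self, key: int) -> None:
        node = self.root
        if not node.covers(key):
            raise ValueError(f"key {key} outside tracked range")
        while True:
            node.count += 1
            if not node.children:
                break
            node = next(c for c in node.children if c.covers(key))
        width = node.hi - node.lo + 1
        if node.count >= self.split_at and width > self.min_width:
            mid = (node.lo + node.hi) // 2
            # The halves start empty: a counter cannot say which keys it saw,
            # so the parent keeps the coarse count and the halves record
            # where traffic goes from now on.
            node.children = [Bucket(node.lo, mid), Bucket(mid + 1, node.hi)]

    def compact(self, min_count: int) -> None:
        """Combine the buckets under any node whose total stayed below min_count."""
        def visit(node: Bucket) -> None:
            if not node.children:
                return
            if node.count < min_count:
                node.children = []          # several buckets become one again
                return
            for c in node.children:
                visit(c)
        visit(self.root)

    def leaves(self) -> List[Tuple[int, int, int]]:
        """Current finest-level buckets as (lo, hi, count), in key order."""
        out: List[Tuple[int, int, int]] = []
        def visit(node: Bucket) -> None:
            if node.children:
                for c in node.children:
                    visit(c)
            else:
                out.append((node.lo, node.hi, node.count))
        visit(self.root)
        return out

    def levels(self, key: int) -> List[Tuple[int, int, int]]:
        """Counts along the root-to-leaf path for key: coarsest first, finest last."""
        path: List[Tuple[int, int, int]] = []
        node = self.root
        while True:
            path.append((node.lo, node.hi, node.count))
            if not node.children:
                return path
            node = next(c for c in node.children if c.covers(key))


# Constructed packet stream (assumption): 20 packets to port 443, then 5 to port 50000.
SAMPLE_DST_PORTS = [443] * 20 + [50000] * 5


def demo() -> AdaptiveBuckets:
    ab = AdaptiveBuckets(0, 65535)
    for port in SAMPLE_DST_PORTS:
        ab.observe(port)
    return ab


if __name__ == "__main__":
    ab = demo()
    print("buckets after 25 packets:", ab.leaves())
    print("port 443 at each level:", ab.levels(443))
    ab.compact(min_count=8)
    print("after combining sparse regions:", ab.leaves())
```

After the 25 constructed packets the count for port 443 can be read at five widths at once, from 25 for the whole port range down to 4 for ports 0 to 4095, which is the kind of two-level monitoring the rejection of claim 12 refers to. Splitting creates empty halves rather than guessing how the parent's count should be divided, because a bare counter cannot say which keys it saw; compact() undoes the split under any node whose total stayed below the floor, which is the combining branch of claim 14. In this run the port 50000 region was split after four packets and is folded back into a single bucket by compact(8), while the busy low range keeps its fine buckets.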

11. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mansfield in view of Mell as applied to claim 15 above, and further in view of Roesch 
("Snort-Lightweight Intrusion Detection for Networks"). Mansfield and Mell do not 
disclose monitoring network traffic for fragmented IP packets. Roesch discloses 
monitoring network traffic for fragmented IP packets (p. 230, right col., "Snort currently 
addresses IP fragmentation ... sent by Snort automatically"). It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to modify 
the combined method of Mansfield and Mell to monitor network traffic for fragmented IP 
packets, as taught by Roesch, so that fragmented packet probes and attacks could be 
logged and alerts could be generated. 
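The header checks relied on for claims 16 through 19 (fragmented IP packets, ICMP to a broadcast address, TCP or UDP to unused ports, and TCP ACK packets that belong to no known connection) are gathered into one small sensor below, as an added worked example in Python. It is not Snort, Mansfield's implementation or the applicant's code. The monitored segment 192.0.2.0/24, the per-host list of listening ports, the Packet record and the sample traffic are constructed for the example.

```python
"""Stateless and stateful header checks over sampled packets.

Illustrative example added for this page; not Snort, Mansfield's tool or the
applicant's code. The packet record, the monitored segment, the per-host list
of listening ports and the sample traffic are all constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumptions: the monitored segment and the ports its hosts actually listen on
# (the reference against which "unused port" is judged).
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
PORTS_IN_USE: Dict[str, FrozenSet[int]] = {
    "192.0.2.10": frozenset({22, 443}),
    "192.0.2.20": frozenset({53}),
}

ConnKey = Tuple[str, int, str, int]          # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()      # TCP flags present, e.g. {"SYN", "ACK"}
    more_fragments: bool = False             # IP header MF bit
    frag_offset: int = 0                     # IP header fragment offset field


class Detector:
    def __init__(self, net: ipaddress.IPv4Network, ports_in_use: Dict[str, FrozenSet[int]]):
        self.net = net
        self.ports_in_use = ports_in_use
        self.pending: Set[ConnKey] = set()       # SYN seen, handshake not finished
        self.established: Set[ConnKey] = set()   # SYN/ACK seen, keyed client->server

    def examine(self, p: Packet) -> List[str]:
        alerts: List[str] = []
        # Fragmented IP: the first fragment carries MF, later ones a non-zero offset.
        if p.more_fragments or p.frag_offset > 0:
            alerts.append("fragmented-ip")
        # ICMP to the limited broadcast or the segment's directed broadcast address.
        if p.proto == "icmp" and self._is_broadcast(p.dst):
            alerts.append("icmp-to-broadcast")
        # TCP or UDP to a port on which the destination host runs no service.
        listening = self.ports_in_use.get(p.dst)
        if p.proto in ("tcp", "udp") and listening is not None and p.dport not in listening:
            alerts.append("unused-port")
        # TCP ACK that belongs to no connection this sensor saw being set up.
        if p.proto == "tcp" and self._stray_ack(p):
            alerts.append("ack-without-connection")
        return alerts

    def _is_broadcast(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        return addr == ipaddress.ip_address("255.255.255.255") or addr == self.net.broadcast_address

    def _stray_ack(self, p: Packet) -> bool:
        fwd: ConnKey = (p.src, p.sport, p.dst, p.dport)
        rev: ConnKey = (p.dst, p.dport, p.src, p.sport)
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.pending.add(fwd)                   # client opened a handshake
            return False
        if "SYN" in p.flags and "ACK" in p.flags:
            if rev in self.pending:                 # server answered; connection is known
                self.pending.discard(rev)
                self.established.add(rev)
            return False
        if "RST" in p.flags:
            return False                            # RST/ACK replies carry ACK but open nothing
        return "ACK" in p.flags and fwd not in self.established and rev not in self.established


# Constructed sample traffic (assumption), in arrival order.
SAMPLE_PACKETS = [
    Packet("192.0.2.99", "192.0.2.255", "icmp"),                                      # ping to directed broadcast
    Packet("198.51.100.7", "192.0.2.20", "udp", 5353, 161),                             # SNMP probe at a DNS-only host
    Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 443, frozenset({"SYN"})),        # normal handshake ...
    Packet("192.0.2.10", "198.51.100.7", "tcp", 443, 40000, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 443, frozenset({"ACK"})),        # ... completes cleanly
    Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 22, frozenset({"ACK"})),         # ACK with no handshake
    Packet("198.51.100.7", "192.0.2.20", "udp", 5000, 53, frag_offset=185),             # non-first IP fragment
    Packet("198.51.100.7", "192.0.2.10", "tcp", 40002, 8080, frozenset({"SYN"})),       # SYN to a closed port
]


def run(packets: List[Packet]) -> List[List[str]]:
    d = Detector(MONITORED_NET, PORTS_IN_USE)
    return [d.examine(p) for p in packets]


if __name__ == "__main__":
    for p, alerts in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto:4} {alerts or 'ok'}")
```

The ACK check is the only stateful one: it knows a connection only if the sensor saw its SYN and SYN/ACK, so connections that were open before the sensor started, or whose return path it does not see, are reported until the connection table has warmed up. The RST exclusion keeps RST/ACK answers to rejected SYNs, which also carry the ACK flag, from being counted as stray ACKs. The unused-port check is only as good as the inventory of listening ports; a host missing from that table is simply not judged.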

12. Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mansfield in view of Mell as applied to claim 15 above, and further in view of Eichstaedt 
et al (6,662,230). Mansfield and Mell do not disclose monitoring network traffic 
generated not by a human user over a persistent HTTP connection. Eichstaedt 
discloses monitoring network traffic generated not by a human user over a persistent 
HTTP connection (col. 1, lines 49-63; col. 6, lines 20-33). It would have been obvious to 
one of ordinary skill in the art at the time the invention was made to modify the 
combined method of Mansfield and Mell to monitor network traffic generated not by a 
human user over a persistent HTTP connection, as taught by Eichstaedt, in order to 
prevent overcrawling by robots that make too frequent requests. 

13. Claims 1-3, 5-8, 10-13 and 21-22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Stallings ("Cryptography And Network Security: Principles and 
Practice") in view of Mell. 

Regarding claims 1-3, 11 and 21, Stallings discloses a method for a data collector 
to collect data from sampled network traffic comprising: sampling packet traffic over a 
network and generating statistical information about the packet traffic on the network (p. 
499, "One or more node ... could be valuable"; p. 500, "The LAN monitor agent ... 
activities such as rlogin"; figures 15.5 and 15.6); parsing the information in the sampled 
packets and maintaining the information in a log (p. 499, "The scheme is designed ... 
host audit record (HAR)"); and delivering the generated statistics over a network to a 
central control center (fig. 15.6). 

Stallings does not disclose utilizing a redundant network that does not carry the 
packet traffic to deliver the generated statistics to a central control center. Mell et al 
("Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems") 
discloses utilizing a separate and protected network for communications between data 
collectors and a control center (Section 2.0, Background on Distributed Hierarchical 
IDSs; Section 3.0, Vulnerable Systems). It would have been obvious to one of ordinary 
skill in the art at the time the invention was made to modify the Stallings method to 
utilize a separate and protected network for communications between the data collector 
and the control center, as taught by Mell, so that the data collector would not be isolated 
in the event an attacker floods the communication channel on which the data collector is 
residing. 

Regarding claim 5, Stallings further discloses that the information collected by 
the data collector includes source information and destination information (p. 500, "The 
LAN monitor agent ... such as rlogin"). 

Regarding claim 6, Stallings further discloses that the data collector collects the 
information but does not log the sampled packets (p. 500, "The LAN monitor agent ... 
such as rlogin"). 
Regarding claim 7, Stallings further discloses that the data collector analyzes the 
collected statistics and produces a message that raises an alarm to the control center 
(p. 500, "When suspicious activity is detected ... from other agents"). 

Regarding claims 8 and 22, Stallings further discloses that the data collector 
includes a communication process to respond to queries from the control center for 
information concerning characteristics of traffic on the network (p. 500, "When 
suspicious activity is detected ... from other agents"; fig. 15.6). 

Regarding claim 10, Stallings further discloses that the query can be a request to 
download via the redundant network, a portion of a log of the collected information (p. 
499, "One or more nodes ... information could be valuable"; fig. 15.6). 

Regarding claim 12, Stallings further discloses monitoring a parameter of traffic 
flow at different levels of granularity (p. 495, "The simplest statistical test ... and 
resource measures"). 

Regarding claim 13, Stallings further discloses that monitoring the parameter at 
multiple levels of granularity is used to trace the source of an attack (p. 500, "At the 
lowest level ... file accessed, and the like"). 

14. Claim 4 is rejected under 35 U.S.C. 103(a) as being unpatentable over Stallings 
in view of Mell. Mell discloses using a dedicated line (Section 3.0, Vulnerable Systems). 
Mell does not disclose that the dedicated line is a leased line. However, Examiner 
takes Official Notice that using a leased line as a dedicated line is well known in the art. 
It would have been obvious at the time the invention was made to use a leased line 
as the dedicated line, since Examiner takes Official Notice that using a leased line as a 
dedicated line, so that there is no need to build and/or maintain a network, is well known 
in the art. 

Conclusion 

15. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Messmer, "Security needs spawn services - Managed detection services growing 
in popularity" 

U.S. Patent No. 6,381,649 to Carlson 

U.S. Patent Application Publication No. 2002/0023089 A1 to Woo 

16. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Minh Dinh whose telephone number is 571-272-3802. 
The examiner can normally be reached on Mon-Fri: 10:00am-6:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 